@bookedsolid/rea 0.36.0 → 0.38.0

package/hooks/attribution-advisory.sh

@@ -1,170 +1,58 @@
 #!/bin/bash
 # PreToolUse hook: attribution-advisory.sh
 # 0.32.0+ — Node-binary shim for `rea hook attribution-advisory`.
+# 0.38.0+ — migrated to `_lib/shim-runtime.sh` (shared runtime).
 #
-# Pre-0.32.0 the gate's full body lived here as bash (162 LOC,
-# including the AI-attribution pattern catalog and segment-relevance
-# gating). The migration to the parser-backed Node binary moves all
-# of that into `src/hooks/attribution-advisory/index.ts`. This shim
-# is the Claude Code dispatcher's view of the hook — it forwards
-# stdin to the CLI and exits with whatever the CLI returns.
+# Blocking-tier when `policy.block_ai_attribution: true`. Pre-port body
+# was 162 LOC; full migration in `src/hooks/attribution-advisory/index.ts`.
 #
-# Behavioral contract is preserved byte-for-byte: exit 0 on
-# disabled-policy / non-relevant / clean-command, exit 2 on HALT /
-# attribution detected / malformed payload (fail-closed).
+# # Relevance pre-gate
 #
-# # CLI-resolution trust boundary
+# Substring match for `git commit` or `gh pr create|edit` ANYWHERE in
+# the command string (allow shell prefixes). Plain substring scan is
+# used instead of JSON-aware regex because escaped quotes in quoted
+# env prefixes (`MODE="x" gh pr create …`) trip JSON-anchored patterns.
+# Over-trigger costs one CLI spawn; the Node body handles correctness.
 #
-# Codex round 1 P1 (2026-05-15): realpath sandbox check + version
-# probe. Mirrors delegation-advisory.sh §3. Defends against
-# symlink-out + tarball-replacement attacks on the resolved CLI AND
-# stale-node_modules version skew that would otherwise turn every
-# Bash dispatch into a hard failure.
+# # Policy short-circuit (codex round 2 P1 from 0.37.0)
+#
+# The block_ai_attribution policy read runs AFTER the sandbox check so
+# REA_ARGV is trusted for Tier-1 reads. When the policy is disabled,
+# exit 0 cleanly — the pre-port bash body no-op'd when the key was
+# absent or false.
 
 set -uo pipefail
 
-# 1. HALT check.
 # shellcheck source=_lib/halt-check.sh
 source "$(dirname "$0")/_lib/halt-check.sh"
 check_halt
 REA_ROOT=$(rea_root)
 
-proj="${CLAUDE_PROJECT_DIR:-$REA_ROOT}"
-
-# 2. Relevance pre-gate (0.32.0 round-5 P1, round-6 fix). PreToolUse
-#    Bash matchers fire on EVERY shell command, but this hook only
-#    enforces against `git commit` / `gh pr create|edit`. Capture
-#    stdin + check relevance FIRST so unrelated commands (ls,
-#    pnpm test, …) exit 0 even when the CLI is missing/stale/
-#    sandboxed-out.
-#
-#    Match the pattern ANYWHERE in the command string (after the
-#    opening quote, then `[^"]*` for any leading shell prefix —
-#    `sudo`, `time`, env assignments like `FOO=x git commit …`).
-#    Round-6 P1: prior round-5 pattern anchored at the start of the
-#    JSON value and missed all prefixed forms.
-INPUT=$(cat)
-# Substring scan (NOT JSON-aware). Round-7 P2: any JSON-aware regex
-# anchored on `"command":"...` gets tripped by escaped quotes in
-# quoted env prefixes (`FOO="two words" git commit …` → the payload
-# carries `\"two words\"` and `[^"]*` stops at the escaped quote).
-# Plain substring match has no such edge: it over-triggers only on
-# the rare case where the pattern appears inside a quoted argument
-# (`echo "gh pr create"`), and the Node body handles that correctly.
-# This hook only fires on `tool_name=Bash`, so we don't risk matching
-# unrelated payload shapes.
-RELEVANT=0
-if printf '%s' "$INPUT" | grep -qE '(git[[:space:]]+commit|gh[[:space:]]+pr[[:space:]]+(create|edit))'; then
-  RELEVANT=1
-fi
-if [ "$RELEVANT" -eq 0 ]; then
-  # Irrelevant Bash call — nothing the pre-0.32.0 body would have
-  # processed. Always exit 0 regardless of CLI state.
-  exit 0
-fi
-
-# 2b. Policy short-circuit (round-6 P2). The pre-0.32.0 bash body
-#     no-op'd when `block_ai_attribution` was absent or false. Without
-#     this check, an unbuilt/stale install would refuse `git commit`
-#     even on repos that DELIBERATELY disable the attribution gate.
-#     Read the policy via a simple grep — the canonical loader
-#     handles inline forms but we only need block form here, and a
-#     conservative "true-and-only-true counts" rule matches the
-#     intent (false / absent / inline-only all → no enforcement).
-POLICY_FILE="$REA_ROOT/.rea/policy.yaml"
-if [ ! -f "$POLICY_FILE" ] || ! grep -qE '^block_ai_attribution:[[:space:]]*true([[:space:]]|$)' "$POLICY_FILE"; then
-  # Attribution blocking disabled — pre-0.32.0 bash body would have
-  # exited 0 here. Don't refuse on stale-install grounds.
-  exit 0
-fi
-
-# 3. Resolve the rea CLI.
-REA_ARGV=()
-RESOLVED_CLI_PATH=""
-if [ -f "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js" ]; then
-  REA_ARGV=(node "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js")
-  RESOLVED_CLI_PATH="$proj/node_modules/@bookedsolid/rea/dist/cli/index.js"
-elif [ -f "$proj/dist/cli/index.js" ]; then
-  REA_ARGV=(node "$proj/dist/cli/index.js")
-  RESOLVED_CLI_PATH="$proj/dist/cli/index.js"
-fi
-
-if [ "${#REA_ARGV[@]}" -eq 0 ]; then
-  # 0.32.0 round-4 P2: when `block_ai_attribution: true`, this hook is
-  # blocking-tier — the pre-0.32.0 bash body enforced the policy
-  # without a compiled CLI. Falling through to exit 0 would silently
-  # let AI-attribution patterns through every git commit / gh pr
-  # create-or-edit until the operator rebuilds. Fail closed and tell
-  # the operator how to restore protection.
-  printf 'rea: attribution-advisory cannot run — the rea CLI is not built.\n' >&2
-  printf 'Run `pnpm install && pnpm build` (or `npm install` for a consumer install) to restore protection.\n' >&2
-  printf 'This shim fails closed because the pre-0.32.0 bash body enforced attribution policy without a CLI.\n' >&2
-  exit 2
-fi
-
-# 3. Realpath sandbox check.
-if ! command -v node >/dev/null 2>&1; then
-  printf 'rea: attribution-advisory cannot run — `node` is not on PATH.\n' >&2
-  printf 'Install Node 22+ (engines.node) to restore enforcement.\n' >&2
-  exit 2
-fi
-
-sandbox_check=$(node -e '
-  const fs = require("fs");
-  const path = require("path");
-  const cli = process.argv[1];
-  const projDir = process.argv[2];
-  let real, realProj;
-  try { real = fs.realpathSync(cli); } catch (e) {
-    process.stdout.write("bad:realpath"); process.exit(1);
-  }
-  try { realProj = fs.realpathSync(projDir); } catch (e) {
-    process.stdout.write("bad:realpath-proj"); process.exit(1);
-  }
-  const sep = path.sep;
-  const projWithSep = realProj.endsWith(sep) ? realProj : realProj + sep;
-  if (!(real === realProj || real.startsWith(projWithSep))) {
-    process.stdout.write("bad:cli-escapes-project"); process.exit(1);
-  }
-  let cur = path.dirname(path.dirname(path.dirname(real)));
-  let found = false;
-  for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
-    const pj = path.join(cur, "package.json");
-    if (fs.existsSync(pj)) {
-      try {
-        const data = JSON.parse(fs.readFileSync(pj, "utf8"));
-        if (data && data.name === "@bookedsolid/rea") { found = true; break; }
-      } catch (e) { /* keep walking */ }
-    }
-    cur = path.dirname(cur);
-  }
-  if (!found) { process.stdout.write("bad:no-rea-pkg-json"); process.exit(1); }
-  process.stdout.write("ok");
-' -- "$RESOLVED_CLI_PATH" "$proj" 2>/dev/null)
-
-if [ "$sandbox_check" != "ok" ]; then
-  # 0.32.0 round-4 P2: fail closed (blocking-tier when policy enables —
-  # see top-of-file rationale). Sandbox failure means the CLI cannot
-  # be authenticated; refuse rather than silently bypass.
-  printf 'rea: attribution-advisory FAILED sandbox check (%s) — refusing.\n' "$sandbox_check" >&2
-  exit 2
-fi
-
-# 4. Version-probe: confirm the resolved CLI implements
-#    `hook attribution-advisory`. Codex round 1 P1.
-probe_out=$("${REA_ARGV[@]}" hook attribution-advisory --help 2>&1)
-probe_status=$?
-if [ "$probe_status" -ne 0 ] || ! printf '%s' "$probe_out" | grep -q -e 'attribution-advisory'; then
-  # 0.32.0 round-4 P2: stale/older CLI without the new subcommand is
-  # NOT advisory-tier fall-through — the bash body it replaces
-  # enforced when policy enabled. Fail closed and tell the operator
-  # exactly how to fix.
-  printf 'rea: this shim requires the `rea hook attribution-advisory` subcommand (introduced in 0.32.0).\n' >&2
-  printf 'The resolved CLI at %s does not implement it.\n' "$RESOLVED_CLI_PATH" >&2
-  printf 'Run `pnpm install` (or `npm install`) to sync the CLI; refusing in the meantime to preserve enforcement.\n' >&2
-  exit 2
-fi
-
-# 5. Forward stdin (already captured up-front for the relevance gate).
-printf '%s' "$INPUT" | "${REA_ARGV[@]}" hook attribution-advisory
-exit $?
+SHIM_NAME="attribution-advisory"
+SHIM_INTRODUCED_IN="0.32.0"
+SHIM_FAIL_OPEN=0
+SHIM_REFUSAL_NOUN="attribution-policy enforcement"
+
+shim_is_relevant() {
+  if printf '%s' "$INPUT" | grep -qE '(git[[:space:]]+commit|gh[[:space:]]+pr[[:space:]]+(create|edit))'; then
+    return 0
+  fi
+  return 1
+}
+
+shim_policy_short_circuit() {
+  # shellcheck source=_lib/policy-reader.sh
+  source "$(dirname "$0")/_lib/policy-reader.sh"
+  local attr_enabled
+  attr_enabled=$(policy_reader_get block_ai_attribution)
+  if [ "$attr_enabled" != "true" ]; then
+    # Attribution blocking disabled (or unreadable on Tier 3 fallback +
+    # missing policy file) — pre-port body exit 0.
+    return 0
+  fi
+  return 1
+}
+
+# shellcheck source=_lib/shim-runtime.sh
+source "$(dirname "$0")/_lib/shim-runtime.sh"
+shim_run

package/hooks/blocked-paths-bash-gate.sh

@@ -1,177 +1,63 @@
 #!/bin/bash
 # PreToolUse hook: blocked-paths-bash-gate.sh
 # 0.35.0+ — Node-binary shim for `rea hook blocked-paths-bash-gate`.
+# 0.38.0+ — migrated to `_lib/shim-runtime.sh` (shared runtime).
 #
-# Pre-0.35.0 this was a thin bash shim over `rea hook scan-bash --mode
-# blocked` (the parser-backed AST walker that closes 9 bypass classes
-# from helix-023 + discord-ops Round 13 — see `src/hooks/bash-scanner/`).
-# The full bash body is preserved at
+# Tier-1 Bash gate. Full bash body preserved at
 # `__tests__/hooks/parity/baselines/blocked-paths-bash-gate.sh.pre-0.35.0`.
+# Migration lives in `src/hooks/blocked-paths-bash-gate/index.ts`.
 #
-# This shim now resolves the CLI through the same 2-tier sandboxed
-# resolver as the 0.32.0+ pilots and calls `rea hook blocked-paths-
-# bash-gate` directly — eliminating the shim → CLI → scanner-module
-# subprocess hop entirely.
+# SHIM_ENFORCE_CLI_SHAPE=1: 0.35.0 codex round-1 P1 — enforce
+# dist/cli/index.js shape on the resolved CLI.
 #
-# Behavioral contract is preserved byte-for-byte: exit 0 on allow,
-# exit 2 on HALT / verdict block / malformed payload / sandbox fail.
+# # Relevance pre-gate (CLI-missing only)
 #
-# # CLI-resolution trust boundary
-#
-# Mirrors the 0.32.0 final shim shape. The resolved CLI MUST live
-# INSIDE realpath(CLAUDE_PROJECT_DIR) AND have an ancestor
-# `package.json` whose `name` is `@bookedsolid/rea`. Defends against
-# symlink-out and tarball-replacement attacks on the resolved CLI.
-#
-# # Fail-closed posture
-#
-# blocked-paths-bash-gate is a Tier-1 security gate (PreToolUse Bash).
-# The pre-0.35.0 bash body refused on uncertainty for every failure
-# class. Early-exit branches (CLI missing, node missing, sandbox failed,
-# version skew) fail closed AFTER the relevance pre-gate passes.
-# Irrelevant Bash calls exit 0 regardless of CLI state.
-#
-# # Relevance pre-gate
-#
-# Same posture as 0.34.0 dangerous-bash + secret-scanner. When the CLI
-# is missing, refuse only when the extracted command MENTIONS a path
-# from `policy.blocked_paths`. Empty policy → no enforcement, exit 0.
-# This unblocks the install path itself: `npx rea init`, pre-`pnpm build`
-# checkouts can still run benign Bash like `ls`/`mkdir`/`pnpm install`.
+# Substring scan over the extracted command against any
+# policy.blocked_paths entry. Empty/missing policy → no enforcement,
+# exit 0 (matches the pre-port bash body's allow-on-no-policy posture).
 
 set -uo pipefail
 
-# 1. HALT check.
 # shellcheck source=_lib/halt-check.sh
 source "$(dirname "$0")/_lib/halt-check.sh"
 check_halt
 REA_ROOT=$(rea_root)
 
-proj="${CLAUDE_PROJECT_DIR:-$REA_ROOT}"
-
-# 2. Capture stdin once.
-INPUT=$(cat)
+SHIM_NAME="blocked-paths-bash-gate"
+SHIM_INTRODUCED_IN="0.35.0"
+SHIM_FAIL_OPEN=0
+SHIM_ENFORCE_CLI_SHAPE=1
+SHIM_REFUSAL_NOUN="blocked_paths refusal"
 
-# 3. Resolve the rea CLI through the fixed 2-tier sandboxed order.
-REA_ARGV=()
-RESOLVED_CLI_PATH=""
-if [ -f "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js" ]; then
-  REA_ARGV=(node "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js")
-  RESOLVED_CLI_PATH="$proj/node_modules/@bookedsolid/rea/dist/cli/index.js"
-elif [ -f "$proj/dist/cli/index.js" ]; then
-  REA_ARGV=(node "$proj/dist/cli/index.js")
-  RESOLVED_CLI_PATH="$proj/dist/cli/index.js"
-fi
-
-# 3b. Relevance pre-gate. Only used when the CLI is missing.
-if [ "${#REA_ARGV[@]}" -eq 0 ]; then
-  CLI_MISSING_CMD=""
+shim_cli_missing_relevant() {
+  local cli_missing_cmd=""
   if command -v jq >/dev/null 2>&1; then
-    CLI_MISSING_CMD=$(printf '%s' "$INPUT" | jq -r '
+    cli_missing_cmd=$(printf '%s' "$INPUT" | jq -r '
       (.tool_input.command // "") | tostring
     ' 2>/dev/null || true)
   else
-    CLI_MISSING_CMD="$INPUT"
+    cli_missing_cmd="$INPUT"
   fi
-  if [ -z "$CLI_MISSING_CMD" ]; then
-    # Empty/non-Bash payload → pre-0.35.0 body would have exited 0.
-    exit 0
+  if [ -z "$cli_missing_cmd" ]; then
+    return 1
   fi
-  # Empty policy.blocked_paths → no enforcement, exit 0.
-  POLICY_FILE="${REA_ROOT}/.rea/policy.yaml"
-  if [ ! -f "$POLICY_FILE" ]; then
-    exit 0
+  local policy_file="${REA_ROOT}/.rea/policy.yaml"
+  if [ ! -f "$policy_file" ]; then
+    return 1
   fi
-  # Substring scan: does the command mention any blocked_paths entry?
-  # Coarse — over-trigger is fine, under-trigger is the bypass we MUST
-  # avoid. Strip YAML quotes/comments via a minimal awk filter.
-  CLI_MISSING_RELEVANT=0
+  # 0.37.0: route blocked_paths reads through the unified policy-reader.
+  # shellcheck source=_lib/policy-reader.sh
+  source "$(dirname "$0")/_lib/policy-reader.sh"
+  local entry
   while IFS= read -r entry; do
     [ -z "$entry" ] && continue
-    case "$CLI_MISSING_CMD" in
-      *"$entry"*) CLI_MISSING_RELEVANT=1; break ;;
+    case "$cli_missing_cmd" in
+      *"$entry"*) return 0 ;;
     esac
-  done < <(awk '
-    /^blocked_paths:/ { in_block=1; next }
-    in_block && /^[[:space:]]*-/ {
-      sub(/^[[:space:]]*-[[:space:]]*/, "")
-      gsub(/^["'\'']/, "")
-      gsub(/["'\'']$/, "")
-      print
-      next
-    }
-    in_block && /^[^[:space:]-]/ { in_block=0 }
-  ' "$POLICY_FILE" 2>/dev/null)
-  if [ "$CLI_MISSING_RELEVANT" -eq 0 ]; then
-    exit 0
-  fi
-  printf 'rea: blocked-paths-bash-gate cannot run — the rea CLI is not built.\n' >&2
-  printf 'Run `pnpm install && pnpm build` (or `npm install` for a consumer install) to restore protection.\n' >&2
-  printf 'This shim fails closed because the pre-0.35.0 bash body enforced blocked_paths refusal without a CLI.\n' >&2
-  exit 2
-fi
-
-# 4. Realpath sandbox check.
-if ! command -v node >/dev/null 2>&1; then
-  printf 'rea: blocked-paths-bash-gate cannot run — `node` is not on PATH.\n' >&2
-  printf 'Install Node 22+ (engines.node) to restore blocked_paths refusal.\n' >&2
-  exit 2
-fi
-
-sandbox_check=$(node -e '
-  const fs = require("fs");
-  const path = require("path");
-  const cli = process.argv[1];
-  const projDir = process.argv[2];
-  let real, realProj;
-  try { real = fs.realpathSync(cli); } catch (e) {
-    process.stdout.write("bad:realpath"); process.exit(1);
-  }
-  try { realProj = fs.realpathSync(projDir); } catch (e) {
-    process.stdout.write("bad:realpath-proj"); process.exit(1);
-  }
-  const sep = path.sep;
-  const projWithSep = realProj.endsWith(sep) ? realProj : realProj + sep;
-  if (!(real === realProj || real.startsWith(projWithSep))) {
-    process.stdout.write("bad:cli-escapes-project"); process.exit(1);
-  }
-  // Codex round-1 P1 fix: enforce dist/cli/index.js shape (see
-  // settings-protection.sh).
-  const expectedEnd = path.join("dist", "cli", "index.js");
-  if (!real.endsWith(path.sep + expectedEnd) && real !== "/" + expectedEnd) {
-    process.stdout.write("bad:cli-shape"); process.exit(1);
-  }
-  let cur = path.dirname(path.dirname(path.dirname(real)));
-  let found = false;
-  for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
-    const pj = path.join(cur, "package.json");
-    if (fs.existsSync(pj)) {
-      try {
-        const data = JSON.parse(fs.readFileSync(pj, "utf8"));
-        if (data && data.name === "@bookedsolid/rea") { found = true; break; }
-      } catch (e) { /* keep walking */ }
-    }
-    cur = path.dirname(cur);
-  }
-  if (!found) { process.stdout.write("bad:no-rea-pkg-json"); process.exit(1); }
-  process.stdout.write("ok");
-' -- "$RESOLVED_CLI_PATH" "$proj" 2>/dev/null)
-
-if [ "$sandbox_check" != "ok" ]; then
-  printf 'rea: blocked-paths-bash-gate FAILED sandbox check (%s) — refusing.\n' "$sandbox_check" >&2
-  exit 2
-fi
-
-# 5. Version-probe.
-probe_out=$("${REA_ARGV[@]}" hook blocked-paths-bash-gate --help 2>&1)
-probe_status=$?
-if [ "$probe_status" -ne 0 ] || ! printf '%s' "$probe_out" | grep -q -e 'blocked-paths-bash-gate'; then
-  printf 'rea: this shim requires the `rea hook blocked-paths-bash-gate` subcommand (introduced in 0.35.0).\n' >&2
-  printf 'The resolved CLI at %s does not implement it.\n' "$RESOLVED_CLI_PATH" >&2
-  printf 'Run `pnpm install` (or `npm install`) to sync the CLI; refusing in the meantime to preserve enforcement.\n' >&2
-  exit 2
-fi
+  done < <(policy_reader_get_list blocked_paths 2>/dev/null)
+  return 1
+}
 
-# 6. Forward stdin (already captured up-front).
-printf '%s' "$INPUT" | "${REA_ARGV[@]}" hook blocked-paths-bash-gate
-exit $?
+# shellcheck source=_lib/shim-runtime.sh
+source "$(dirname "$0")/_lib/shim-runtime.sh"
+shim_run

package/hooks/blocked-paths-enforcer.sh

@@ -1,79 +1,54 @@
 #!/bin/bash
 # PreToolUse hook: blocked-paths-enforcer.sh
 # 0.35.0+ — Node-binary shim for `rea hook blocked-paths-enforcer`.
+# 0.38.0+ — migrated to `_lib/shim-runtime.sh` (shared runtime).
 #
-# Pre-0.35.0 the gate's full body lived here as bash (284 LOC). The
-# full bash body is preserved at
+# Write/Edit/MultiEdit/NotebookEdit-tier blocking gate. Full bash body
+# preserved at
 # `__tests__/hooks/parity/baselines/blocked-paths-enforcer.sh.pre-0.35.0`.
+# Migration in `src/hooks/blocked-paths-enforcer/index.ts`.
 #
-# Migration moves the enforcement logic (path normalization, traversal
-# reject, glob/prefix/exact matching, symlink resolution, agent-
-# writable allow-list) into `src/hooks/blocked-paths-enforcer/index.ts`.
-# This shim is the Claude Code dispatcher's view of the hook — it
-# forwards stdin to the CLI and exits with whatever the CLI returns.
+# SHIM_ENFORCE_CLI_SHAPE=1: 0.35.0 codex round-1 P1 — enforce
+# dist/cli/index.js shape.
 #
-# Behavioral contract is preserved byte-for-byte: exit 0 on allow,
-# exit 2 on HALT / blocked-paths match / malformed payload.
+# # Relevance pre-gate (CLI-missing only)
 #
-# # CLI-resolution trust boundary
-#
-# Mirrors the 0.32.0 final shim shape.
-#
-# # Fail-closed posture
-#
-# blocked-paths-enforcer is a Write/Edit/MultiEdit/NotebookEdit tier
-# security gate. The pre-0.35.0 bash body refused on uncertainty.
-# Early-exit branches fail closed AFTER the relevance pre-gate passes.
-#
-# # Relevance pre-gate
-#
-# Extract file_path / notebook_path from the payload, substring-scan
-# against the policy's blocked_paths entries. When CLI is missing AND
-# no policy.blocked_paths entry matches, exit 0. Empty/missing policy
-# → no enforcement, exit 0.
+# Extract file_path / notebook_path; substring-scan against any
+# policy.blocked_paths entry. Empty/missing policy → exit 0.
 
 set -uo pipefail
 
-# 1. HALT check.
 # shellcheck source=_lib/halt-check.sh
 source "$(dirname "$0")/_lib/halt-check.sh"
 check_halt
 REA_ROOT=$(rea_root)
 
-proj="${CLAUDE_PROJECT_DIR:-$REA_ROOT}"
-
-# 2. Capture stdin once.
-INPUT=$(cat)
+SHIM_NAME="blocked-paths-enforcer"
+SHIM_INTRODUCED_IN="0.35.0"
+SHIM_FAIL_OPEN=0
+SHIM_ENFORCE_CLI_SHAPE=1
+SHIM_REFUSAL_NOUN="blocked_paths refusal"
 
-# 3. Resolve the rea CLI through the fixed 2-tier sandboxed order.
-REA_ARGV=()
-RESOLVED_CLI_PATH=""
-if [ -f "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js" ]; then
-  REA_ARGV=(node "$proj/node_modules/@bookedsolid/rea/dist/cli/index.js")
-  RESOLVED_CLI_PATH="$proj/node_modules/@bookedsolid/rea/dist/cli/index.js"
-elif [ -f "$proj/dist/cli/index.js" ]; then
-  REA_ARGV=(node "$proj/dist/cli/index.js")
-  RESOLVED_CLI_PATH="$proj/dist/cli/index.js"
-fi
-
-# 3b. Relevance pre-gate. Only used when the CLI is missing.
-if [ "${#REA_ARGV[@]}" -eq 0 ]; then
-  CLI_MISSING_FILE_PATH=""
+shim_cli_missing_relevant() {
+  local cli_missing_file_path=""
   if command -v jq >/dev/null 2>&1; then
-    CLI_MISSING_FILE_PATH=$(printf '%s' "$INPUT" | jq -r '
+    cli_missing_file_path=$(printf '%s' "$INPUT" | jq -r '
       (.tool_input.file_path // .tool_input.notebook_path // "") | tostring
     ' 2>/dev/null || true)
   else
-    CLI_MISSING_FILE_PATH="$INPUT"
+    cli_missing_file_path="$INPUT"
   fi
-  if [ -z "$CLI_MISSING_FILE_PATH" ]; then
-    exit 0
+  if [ -z "$cli_missing_file_path" ]; then
+    return 1
   fi
-  POLICY_FILE="${REA_ROOT}/.rea/policy.yaml"
-  if [ ! -f "$POLICY_FILE" ]; then
-    exit 0
+  local policy_file="${REA_ROOT}/.rea/policy.yaml"
+  if [ ! -f "$policy_file" ]; then
+    return 1
   fi
-  CLI_MISSING_RELEVANT=0
+  # 0.37.0: route blocked_paths reads through the unified policy-reader.
+  # shellcheck source=_lib/policy-reader.sh
+  source "$(dirname "$0")/_lib/policy-reader.sh"
+  local entry base
   while IFS= read -r entry; do
     [ -z "$entry" ] && continue
     # Substring scan — for directory prefixes the entry ends with /
@@ -84,97 +59,17 @@ if [ "${#REA_ARGV[@]}" -eq 0 ]; then
     case "$base" in
       */) base="${base%/}" ;;
     esac
-    # Strip glob wildcards for substring testing — `src/*.ts` becomes
-    # `src/` + `.ts`. The simplest safe form is to scan the literal
-    # part before the first `*`.
     case "$base" in
       *'*'*) base="${base%%\**}" ;;
     esac
     [ -z "$base" ] && continue
-    case "$CLI_MISSING_FILE_PATH" in
-      *"$base"*) CLI_MISSING_RELEVANT=1; break ;;
+    case "$cli_missing_file_path" in
+      *"$base"*) return 0 ;;
     esac
-  done < <(awk '
-    /^blocked_paths:/ { in_block=1; next }
-    in_block && /^[[:space:]]*-/ {
-      sub(/^[[:space:]]*-[[:space:]]*/, "")
-      gsub(/^["'\'']/, "")
-      gsub(/["'\'']$/, "")
-      print
-      next
-    }
-    in_block && /^[^[:space:]-]/ { in_block=0 }
-  ' "$POLICY_FILE" 2>/dev/null)
-  if [ "$CLI_MISSING_RELEVANT" -eq 0 ]; then
-    exit 0
-  fi
-  printf 'rea: blocked-paths-enforcer cannot run — the rea CLI is not built.\n' >&2
-  printf 'Run `pnpm install && pnpm build` (or `npm install` for a consumer install) to restore protection.\n' >&2
-  printf 'This shim fails closed because the pre-0.35.0 bash body enforced blocked_paths refusal without a CLI.\n' >&2
-  exit 2
-fi
-
-# 4. Realpath sandbox check.
-if ! command -v node >/dev/null 2>&1; then
-  printf 'rea: blocked-paths-enforcer cannot run — `node` is not on PATH.\n' >&2
-  printf 'Install Node 22+ (engines.node) to restore blocked_paths refusal.\n' >&2
-  exit 2
-fi
-
-sandbox_check=$(node -e '
-  const fs = require("fs");
-  const path = require("path");
-  const cli = process.argv[1];
-  const projDir = process.argv[2];
-  let real, realProj;
-  try { real = fs.realpathSync(cli); } catch (e) {
-    process.stdout.write("bad:realpath"); process.exit(1);
-  }
-  try { realProj = fs.realpathSync(projDir); } catch (e) {
-    process.stdout.write("bad:realpath-proj"); process.exit(1);
-  }
-  const sep = path.sep;
-  const projWithSep = realProj.endsWith(sep) ? realProj : realProj + sep;
-  if (!(real === realProj || real.startsWith(projWithSep))) {
-    process.stdout.write("bad:cli-escapes-project"); process.exit(1);
-  }
-  // Codex round-1 P1 fix: enforce dist/cli/index.js shape (see
-  // settings-protection.sh).
-  const expectedEnd = path.join("dist", "cli", "index.js");
-  if (!real.endsWith(path.sep + expectedEnd) && real !== "/" + expectedEnd) {
-    process.stdout.write("bad:cli-shape"); process.exit(1);
-  }
-  let cur = path.dirname(path.dirname(path.dirname(real)));
-  let found = false;
-  for (let i = 0; i < 20 && cur && cur !== path.dirname(cur); i += 1) {
-    const pj = path.join(cur, "package.json");
-    if (fs.existsSync(pj)) {
-      try {
-        const data = JSON.parse(fs.readFileSync(pj, "utf8"));
-        if (data && data.name === "@bookedsolid/rea") { found = true; break; }
-      } catch (e) { /* keep walking */ }
-    }
-    cur = path.dirname(cur);
-  }
-  if (!found) { process.stdout.write("bad:no-rea-pkg-json"); process.exit(1); }
-  process.stdout.write("ok");
-' -- "$RESOLVED_CLI_PATH" "$proj" 2>/dev/null)
-
-if [ "$sandbox_check" != "ok" ]; then
-  printf 'rea: blocked-paths-enforcer FAILED sandbox check (%s) — refusing.\n' "$sandbox_check" >&2
-  exit 2
-fi
-
-# 5. Version-probe.
-probe_out=$("${REA_ARGV[@]}" hook blocked-paths-enforcer --help 2>&1)
-probe_status=$?
-if [ "$probe_status" -ne 0 ] || ! printf '%s' "$probe_out" | grep -q -e 'blocked-paths-enforcer'; then
-  printf 'rea: this shim requires the `rea hook blocked-paths-enforcer` subcommand (introduced in 0.35.0).\n' >&2
-  printf 'The resolved CLI at %s does not implement it.\n' "$RESOLVED_CLI_PATH" >&2
-  printf 'Run `pnpm install` (or `npm install`) to sync the CLI; refusing in the meantime to preserve enforcement.\n' >&2
-  exit 2
-fi
+  done < <(policy_reader_get_list blocked_paths 2>/dev/null)
+  return 1
+}
 
-# 6. Forward stdin (already captured up-front).
-printf '%s' "$INPUT" | "${REA_ARGV[@]}" hook blocked-paths-enforcer
-exit $?
+# shellcheck source=_lib/shim-runtime.sh
+source "$(dirname "$0")/_lib/shim-runtime.sh"
+shim_run